From 648712eec1eedb05965b9b4d6dd457bda5d70481 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 1 Jan 2021 23:41:21 +0100
Subject: [PATCH] httpauth: make multi-request auth work with custom port
When doing HTTP authentication and a port number set with CURLOPT_PORT, the code would previously have the URL's port number override as if it had been a redirect to an absolute URL. Added test 1568 to verify.
Reported-by: UrsusArctos on github
Fixes #6397
Closes #6400
---
 lib/multi.c | 4 +-
 lib/transfer.c | 9 +++-
 lib/transfer.h | 7 ++-
 lib/url.c | 4 +-
 tests/data/Makefile.inc | 4 +-
 tests/data/test1568 | 87 ++++++++++++++++++++++++++++++++++++++
 tests/libtest/Makefile.inc | 7 ++-
 tests/libtest/lib1568.c | 49 +++++++++++++++++++++
 8 files changed, 158 insertions(+), 13 deletions(-)
 create mode 100644 tests/data/test1568
 create mode 100644 tests/libtest/lib1568.c
diff --git a/lib/multi.c b/lib/multi.c
index bf439bb8e..d3863c1e9 100644
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -2211,7 +2211,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
 multi_done(data, result, TRUE);
 }
 else if(done) {
- followtype follow = FOLLOW_NONE;
 /* call this even if the readwrite function returned error */
 Curl_posttransfer(data);
@@ -2219,6 +2218,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
 /* When we follow redirects or is set to retry the connection, we must to go back to the CONNECT state */
 if(data->req.newurl || retry) {
+ followtype follow = FOLLOW_NONE;
 if(!retry) {
 /* if the URL is a follow-location and not just a retried request then figure out the URL here */
diff --git a/lib/transfer.c b/lib/transfer.c
index 41bdc353d..7b5a0516d 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1537,6 +1537,8 @@ CURLcode Curl_follow(struct Curl_easy *data,
 bool reachedmax = FALSE;
 CURLUcode uc;
+ DEBUGASSERT(type != FOLLOW_NONE);
+
 if(type == FOLLOW_REDIR) {
 if((data->set.maxredirs != -1) && (data->set.followlocation >= data->set.maxredirs)) {
@@ -1568,8 +1570,11 @@ CURLcode Curl_follow(struct Curl_easy *data,
 }
 }
- if(Curl_is_absolute_url(newurl, NULL, MAX_SCHEME_LEN))
- /* This is an absolute URL, don't allow the custom port number */
+ if((type != FOLLOW_RETRY) &&
+ (data->req.httpcode != 401) && (data->req.httpcode != 407) &&
+ Curl_is_absolute_url(newurl, NULL, MAX_SCHEME_LEN))
+ /* If this is not redirect due to a 401 or 407 response and an absolute
+ URL: don't allow a custom port number */
 disallowport = TRUE;
 DEBUGASSERT(data->state.uh);
diff --git a/lib/transfer.h b/lib/transfer.h
index 178bb58fb..f8915dbd1 100644
--- a/lib/transfer.h
+++ b/lib/transfer.h
@@ -7,7 +7,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -36,9 +36,8 @@ typedef enum {
 allow initing to this */
 FOLLOW_FAKE, /* only records stuff, not actually following */
 FOLLOW_RETRY, /* set if this is a request retry as opposed to a real
- redirect following */
- FOLLOW_REDIR, /* a full true redirect */
- FOLLOW_LAST /* never used */
+ redirect following */
+ FOLLOW_REDIR /* a full true redirect */
 } followtype;
 CURLcode Curl_follow(struct Curl_easy *data, char *newurl,
diff --git a/lib/url.c b/lib/url.c
index fd9237de4..45577713e 100644
--- a/lib/url.c
+++ b/lib/url.c
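Review bot: The new guard in Curl_follow recognises an authentication re-request by `data->req.httpcode` being 401 or 407, not by how `newurl` was produced, so whether the CURLOPT_PORT value stays enabled for an absolute URL depends on state set elsewhere. If any path can hand this function a server-supplied absolute URL while the last status was 401/407 (the hunk does not show where `newurl` originates), the custom port would be applied to a host the server chose. State the invariant next to the condition, e.g. `/* newurl on a 401/407 is always our own URL re-issued for auth, never a Location value */`, and consider asserting it in debug builds. The added comment also reads better as `If this is not a redirect due to a 401 or 407 response and it is an absolute URL: don't allow a custom port number`. Curl_follow's body starts and ends outside the hunk.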
@@ -2003,7 +2003,9 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
 }
 else {
 unsigned long port = strtoul(data->state.up.port, NULL, 10);
- conn->port = conn->remote_port = curlx_ultous(port);
+ conn->port = conn->remote_port =
+ (data->set.use_port && data->state.allow_port) ?
+ (int)data->set.use_port : curlx_ultous(port);
 }
 (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 4b9fc44dc..6aa871bbf 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -5,7 +5,7 @@
 # | (__| |_| | _ <| |___
 # \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
+# Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -187,7 +187,7 @@ test1540 \
 \
 test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
 test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \
-test1566 test1567 \
+test1566 test1567 test1568 \
 \
 test1590 test1591 test1592 test1593 test1594 test1595 test1596 \
 \
diff --git a/tests/data/test1568 b/tests/data/test1568
new file mode 100644
index 000000000..62d1132eb
--- /dev/null
+++ b/tests/data/test1568
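Review bot: The rewritten assignment in parseurlandfillconn lets `data->set.use_port` replace the port just parsed from the URL whenever `data->state.allow_port` is set, and nothing at this line says why or what keeps that safe. Because the result decides which port the request and its credentials go to, add a comment such as `/* CURLOPT_PORT takes precedence over the URL's port while allow_port is set */`. The `(int)` cast assumes `use_port` was range-checked when the option was set; that check is not visible in this hunk and is worth confirming. The function body starts and ends outside the hunk.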
@@ -0,0 +1,87 @@
+
+# based on test 64
+
+
+
+HTTP
+HTTP GET
+HTTP Digest auth
+
+
+
+
+
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 26
+
+This is not the real page
+
+
+# This is supposed to be returned when the server gets a
+# Authorization: Digest line passed-in from the client
+
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+
+This IS the real page!
+
+
+
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 26
+
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+
+This IS the real page!
+
+
+
+
+# Client-side
+
+
+http
+
+
+!SSPI
+crypto
+
+
+HTTP with Digest authorization on custom CURLOPT_PORT
+
+
+lib1568
+
+
+http://%HOSTIP/1568 %HTTPPORT
+
+
+
+# Verify data after the test has been "shot"
+
+
+GET /1568 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: lib1568
+Accept: */*
+
+GET /1568 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/1568", response="9cbbd857a37e45f2bcad5c7d088191df"
+User-Agent: lib1568
+Accept: */*
+
+
+
+
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
index 9496bd074..28cf92ab7 100644
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@@ -5,7 +5,7 @@
 # | (__| |_| | _ <| |___
 # \___|\___/|_| \_\_____|
 #
-# Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
+# Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
 #
 # This software is licensed as described in the file COPYING, which
 # you should have received as part of this distribution. The terms
@@ -56,7 +56,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
 lib1534 lib1535 lib1536 lib1537 lib1538 lib1539 \
 lib1540 \
 lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \
- lib1558 lib1559 lib1560 lib1564 lib1565 lib1567 \
+ lib1558 lib1559 lib1560 lib1564 lib1565 lib1567 lib1568 \
 lib1591 lib1592 lib1593 lib1594 lib1596 \
 lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
 lib1915 lib1916 lib1917 lib1933 \
@@ -601,6 +601,9 @@ lib1565_CPPFLAGS = $(AM_CPPFLAGS)
 lib1567_SOURCES = lib1567.c $(SUPPORTFILES)
 lib1567_CPPFLAGS = $(AM_CPPFLAGS)
+lib1568_SOURCES = lib1568.c $(SUPPORTFILES)
+lib1568_CPPFLAGS = $(AM_CPPFLAGS)
+
 lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
 lib1591_LDADD = $(TESTUTIL_LIBS)
 lib1591_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1591
diff --git a/tests/libtest/lib1568.c b/tests/libtest/lib1568.c
new file mode 100644
index 000000000..2e5d88c70
--- /dev/null
+++ b/tests/libtest/lib1568.c
@@ -0,0 +1,49 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2021, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include "test.h"
+
+#include "testtrace.h"
+#include "memdebug.h"
+
+int test(char *URL)
+{
+ CURLcode ret;
+ CURL *hnd;
+
+ hnd = curl_easy_init();
+ curl_easy_setopt(hnd, CURLOPT_URL, URL);
+ curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_HEADER, 1L);
+ curl_easy_setopt(hnd, CURLOPT_USERPWD, "testuser:testpass");
+ curl_easy_setopt(hnd, CURLOPT_USERAGENT, "lib1568");
+ curl_easy_setopt(hnd, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST);
+ curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+ curl_easy_setopt(hnd, CURLOPT_PORT, (long)atoi(libtest_arg2));
+
+ ret = curl_easy_perform(hnd);
+
+ curl_easy_cleanup(hnd);
+ hnd = NULL;
+
+ return (int)ret;
+}
+
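Review bot: `test()` uses two values without checking them: the handle from `curl_easy_init()` goes straight into `curl_easy_setopt`, and `libtest_arg2` is passed to `atoi` although it is presumably NULL when the test is run without a second argument. Add `if(!hnd) return TEST_ERR_MAJOR_BAD;` after the init and a NULL check on `libtest_arg2` before the `atoi` call. `CURLOPT_MAXREDIRS` has no visible effect here because the test never enables redirect following, so that line can be dropped. The test also covers only the authentication path; unless an existing test already does so, a companion case asserting that a redirect to an absolute URL still ignores CURLOPT_PORT would guard the other half of the changed condition in lib/transfer.c.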